
Thread: How the *^$µ

  1. #11
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    From what I can see you've posted nothing that shows a real security risk. OWA is commonly used in large corporations. As much as I dislike Exchange, it is a highly used "messaging and collaboration server" (to quote MS). So they are running NT... yes it is older software, however it can still run stably (is that a real word?) and securely. As far as running an FTP server? Many, and I mean MANY, businesses have FTP servers running. The last point you mentioned was weak passwords... unfortunately weak passwords are a fact of life. You still need a username to match that password and once you have the usernames (I'm sure they could be found easily while enumerating the network), Exchange doesn't provide the easiest interface to brute force. You'd have to do it through OWA, which means you need software that brute forces browser pop-up boxes and even then, Exchange is probably using account lockouts. If not, you've said you've seen the logs, so someone will most likely see the logs before someone gets access. Like I said, weak passwords are everywhere these days and brute forcing really isn't worth the risk, even to a lot of script kiddies. When you have the file locally and can brute force it without anyone knowing that's a different story. You want the firm to see that they aren't secure, which to me says you aren't the IT guy. If you were, you could secure the network regardless of the software running, otherwise you aren't doing your job. Based on my assumption that you aren't the IT person (I know assumptions are bad), it's quite possible you don't know everything that's running in the background. To me it sounds like the entire thing is a fairly common setup, not something that poses a huge security risk.

    Peace,
    HT

  2. #12
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    As this is a big firm which gets its funding from the city I'm not the only IT-guy.

    My job consists of troubleshooting occurring problems ...we have other guys doing the manageable tasks.

    This means these guys are responsible for applying patches and updates and things.
    They do other stuff as well but being this a new function for about a year now I can say there hasn't been a lot of updates and patches lately.

    So every time there is a problem ..like the crashing of the IIS from the OWA server we have to solve the incident (restarting the IIS) but if it keeps on crashing (and we know why) we are obligated to give the problem to the other guys so they can "solve" the problem.

    Now I don't have anything against these guys ..they do their job the best they can ...it's the entire structure of the company which changed about a year ago.

    So I know NT can be safe (if you keep it up to date) ...and OWA is necessary ... but if you combine everything like the weak passwords (which also apply to this FTP) and the lack of updates and what not... I can tell you it takes the fun right out of the job.

    So in short ..if I had the possibility to update these servers without getting chewed out by my bosses because that is not my responsibility (yes I've tried) then I would have done that ...

    Anyway let's just say I'm searching for a new employee then ...thanks for the help guys I appreciate it.

    Gr33tz
    Back when I was a boy, we carved our own IC's out of wood.

  3. #13
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    HTRegz said:
    "it's quite possible you don't know everything that's running in the background. To me it sounds like the entire thing is a fairly common setup, not something that poses a huge security risk."
    Whilst this 'can' be very true it is not always fact. Here in Greece, things are a bit weird when it comes to data security. (Data in my example is a general term from physical security all the way to network security including all the in betweens.) Let me leave out the few exceptions of major firms we have in our capital city like Siemens, a very few banks, etc. I live in the south of Greece (Peloponnese), where computer security is a joke all the way up to 'nonexistent'. It has a lot to do with mentality, not failure of knowledge. A lot of bigger firms here in the south don't bother about stuff like that. There are many factors that influence this situation. Many companies here just have the simplest default setups for their systems/networks, many don't even have passwords for their accounts. The people here are not aware of any dangers, nor will they be until they get hit by a bad surprise. I'm sure this applies elsewhere too. Back to the original subject.....

    If I went round to a few companies and did a very basic little simple security testing, I could find truckloads of unsecure systems/networks. Pointing it out to them will just result in being laughed at (not because I don't know if there is anything in the background that secures anything), but because they cannot imagine that any of these threats are real. One of our major newspaper companies has a major problem with virii..... I once had a look at their AV software, and the virus definitions were dated back to 2001, not to mention that the only firewall was a puny lil router with its factory's default admin login enabled accepting telnet connections from the outside (ROFL). This setup was sold by a computer company 'chain', which sells pre-installed boxes with win 98, win 2000 etc, and does not do ANYTHING about security at all, telling their customers nothing about security issues. On one hand, if they did tell them and explain certain things, then the customers would not keep coming back and paying money for reformats and reinstallations of broken systems. It's all pitiful here when it comes to these things.

    Within 500 km, I can't think of ONE single firm which even has their own system admin. I once put an ad in a newspaper looking for a job in the computer security field. A security company (one that sells home security, cash transfers etc...) took me in, and wanted me to tighten their systems. After 5 months there, I got fired for the reason that nothing happened to their systems, and that paying me as an admin was a waste of money and time (I couldn't prove to them that 'nothing' happened within those 5 months, since I had tightened a lot of things). I even got shouted at, for expenses for empty CDs, for backup purposes. They told me that backups were a waste of time and money (cdr/cdrw and its blanks), now when talking to a friend who works there as a secretary, she tells me that all the boxes now have NO passwords, that they took out my dedicated firewall I had put, and put a freakin lil router there which was accepting logins from the outside using factory defaults (yes, I had to try it out after I found out in order to believe it), but I know that there's no one there that would even read the 'login logs' on that router, since the company that sold that router to them prolly doesn't even know that a router keeps logs in the first place. It's sick, I mean come on, a security company does hold sensitive data, like the points of where an alarm system is placed, where cameras are positioned, routes for money transfers, etc...., but just because they don't believe that cyber threats really exist (other than in the movies), they do nothing about it.

    I'm sorry if my little rant here went kinda offtopic, but because this is the way things work around here, I'm stuck as a painter painting construction sites (I can't even get a job here as a tech, because the shops are scared to have to pay me a real salary since I am knowledgeable, and they prefer to pay 1/2 the price to some idiot who has no idea).
    A computer tech here in our area will not get more than 500 euros /month, and as an admin in that security firm I got no more than 320 euros a month. That's just about enough to pay the rent for a crappy lil room.

    Soooooo, once again, back to the original topic at hand
    Sometimes there's nothing you can do! If it's not in your hands, and no one takes your advice seriously, there's really not much that can be done. I have tried myself to offer seminars to all the computer shops, as well as many firms, but no one is interested in that kinda stuff. Don't get me wrong, by no means am I saying 'give up', but don't let it get to you like that. You're not responsible for those issues from what I can tell by your posts. Of course it will bother you being an admin, it bothered me too seeing all these systems unsafe (our hospital is sending its data to other hospitals without any sort of VPN, or secure transfer methods), sooo until they are all in for a bad surprise, some companies will continue to have crappy security and cheap default setups.

    I would suggest you keep trying, and bugging the people in charge, but don't do anything that would endanger your job or position. If they are that stubborn and stupid, then let them suffer the results of that. Sooner or later, someone will take advantage of those weaknesses, and then.... BANG.

    Sorry if my post was confusing or made no sense.....

    Cheers
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey Cemetric,

    How are ya dude?.........yes, I am still talking to you ...............I have a question for you:

    Was your job "outsourced", like they brought in another lot to run things? or have you always had that job?

    Yes, it does matter............

    I am very willing to help, if I can.................I have done quite a few security demos in my time

    Good luck!

    Wacht Heil!

  5. #15
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Hey nihil

    "Was your job "outsourced", like they brought in another lot to run things? or have you always had that job?"
    No I was not outsourced I work there for over 4 years now ... and instead of going forward I'm going backwards.

    If I see or hear sometimes how things go in other firms (like in the states) then I get a bit "jealous" ..I know the grass is always greener on the other side but still.

    I'm gonna ask my colleague ..who does the same job as I do (solving other peoples mistakes)..if he wants to participate ..cuzz he too is sick of these things.

    One other of the main things which causes problems is the fact that all the remote sites like hospitals, police and some city ordinances have local LAN-admins (former secretaries or janitors (no kidding) whose hobby is computing) which have access to the AD and the local servers ... We've actually done something about that ...they now only have access to their OU (pffeeww) ...and still they manage to get confused about it (but what do you expect)...

    Anyway thanks for the offer nihil ...if I wanna pick your brain the coming week(s) I'll PM you ..ok?
    Back when I was a boy, we carved our own IC's out of wood.

  6. #16
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    It is a few years since I worked over in your country.............like in Brussels.......Bruxelles?


    They were nice years


  7. #17
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    I guess it was the beer ...

    They keep coming back for the beer

    I don't blame them though

    I've worked in Brussels ...but now I work in Antwerp.

    Late nights ..early mornings
    Back when I was a boy, we carved our own IC's out of wood.
